Cisco Support Community

New Member

FWSM Deployment issue.

Hi,

Please see the attached network diagram...

We are looking at a management firewall (admin context) with multiple client firewalls. The management firewall will have a number of management servers that will need to access servers on the client firewalls.

Is this a supported configuration for the FWSM?

At the moment there seem to be routing issues as pings can go from one server to the other but the ping reply is never seen.

Thanks,

Chris

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: FWSM Deployment issue.

Hi Chris

I'm not completely clear from the diagram on your setup, but it is a bit early in the morning and I haven't had my 5 cups of coffee yet :-)

In answer to your question though, yes, this is a supported design for the FWSM. You can achieve this in one of two ways:

1) Configure access on each of the client firewalls to allow the management servers access. This means updating access-lists on all contexts if you change or add management servers.

2) Have a shared VLAN that all the contexts can access. This works, but you have to understand how the FWSM classifier works. On our FWSMs we share the outside VLAN but do not use any other shared VLANs. As I say, though, you can do this.

The FWSM config guide has a good explanation of how the classifier works

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802c6418.html#wp1105332

HTH

Jon

3 REPLIES
New Member

Re: FWSM Deployment issue.

Looks like the problem was nat-control needed to be configured. This has now resolved all the problems.

New Member

Re: FWSM Deployment issue.

Hi

You can share the same network between two virtual firewalls, but you have to configure nat-control to deal with it. The simplest way to deal with this, though, is to split vlan101 and vlan16 with a router; if you have a Sup720 you can use VRF, or you can use new hardware.

Best regards, Stefan (Sweden)
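To make the two options from the accepted answer and the nat-control fix reported in the replies concrete, here is an added configuration example. It is not configuration from any of the posters or from Cisco. It assumes FWSM 3.x multiple-context syntax, and every VLAN number, context name, interface name and IP address in it is made up for illustration, since the attached diagram is not on the page.

```cisco
! ===== System execution space =====
! Assumed layout (all numbers illustrative): VLAN 16 carries the management
! servers behind the admin context, VLAN 101 is the VLAN shared by the admin
! context and every client context, VLAN 201 is one client's server segment.
context admin
  allocate-interface vlan16
  allocate-interface vlan101
  config-url disk:/admin.cfg
!
context clientA
  allocate-interface vlan101
  allocate-interface vlan201
  config-url disk:/clientA.cfg
!
! ===== Context admin =====
interface vlan16
  nameif inside
  security-level 100
  ip address 10.16.0.1 255.255.255.0
interface vlan101
  nameif outside
  security-level 0
  ip address 10.101.0.1 255.255.255.0
nat-control
! Identity static: the classifier delivers packets for 10.16.0.0/24 that arrive
! on shared VLAN 101 (the clients' replies) to this context.
static (inside,outside) 10.16.0.0 10.16.0.0 netmask 255.255.255.0
!
! ===== Context clientA =====
interface vlan101
  nameif outside
  security-level 0
  ip address 10.101.0.11 255.255.255.0
interface vlan201
  nameif inside
  security-level 100
  ip address 10.201.0.1 255.255.255.0
route outside 10.16.0.0 255.255.255.0 10.101.0.1
nat-control
! Option 2 (shared VLAN): expose the client server at a mapped address on the
! shared subnet. For a packet arriving on a shared VLAN, the FWSM classifier
! picks the owning context by matching the destination address against each
! context's static/global entries, so the mapped address must be unique across
! all contexts sharing VLAN 101. With no static here, nothing claims
! 10.101.0.201 and the packet is dropped.
static (inside,outside) 10.101.0.201 10.201.0.20 netmask 255.255.255.255
!
! Option 1 (per-context ACL): permit the management servers in. This block has
! to be repeated on every client context and updated whenever a management
! server is added. On the FWSM an inbound ACL matches the mapped address.
object-group network MGMT_SERVERS
  network-object host 10.16.0.10
  network-object host 10.16.0.11
access-list OUTSIDE_IN extended permit tcp object-group MGMT_SERVERS host 10.101.0.201 eq 22
access-list OUTSIDE_IN extended permit icmp object-group MGMT_SERVERS host 10.101.0.201 echo
access-group OUTSIDE_IN in interface outside
!
! ICMP is not tracked statefully unless it is inspected; without this the
! echo reply needs its own permit on the inside interface.
policy-map global_policy
  class inspection_default
    inspect icmp
```

Jon's option 1 on its own is the access-list block applied to contexts that each have their own VLANs; option 2 is the shared VLAN plus the statics, which is where the classifier and nat-control come in. The example puts both in one context only because an inbound access-list is needed on the outside interface in either design. The policy-map and class-map names are assumed to be the 3.x defaults; check `show running-config policy-map` on the module before relying on them.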
